Pega continually works to implement security controls that are designed to protect client environments. With this focus, the Pega Robotics team has identified two security vulnerabilities, one rated High (7.2), and the other rated Medium (6.0) on the CVSS scale.
Note: These vulnerabilities are unrelated to the vulnerability reported on December 30, 2025.
High Severity Vulnerability (CVSS 7.2)
Affected Product
- Pega Robotic Automation version 22.1 or R25
- Users running automations in Google Chrome or Microsoft Edge
Risk Description
A bad actor could create a malicious website containing code that targets the Pega Browser Extension (PBE). The vulnerability may be triggered if a Robot Runtime user navigates to such a website.
Medium Severity Vulnerability (CVSS 6.0)
Affected Product
- All versions of Pega Browser Extension (PBE)
Risk Description
A malicious website could target PBE, triggering unexpected behavior—such as displaying an unexpected message box—if a user navigates to that site.
Required Client Action
Update Recommendations
To ensure you remain protected, Pega strongly recommends:
- Install PBE 3.1.45 or later
- Update Robot Studio and Robot Runtime to 25.1.13
PBE 3.1.45 or later is compatible with any version of Robot Studio or Robot Runtime in R25 or 22.1.
Note: If developing automations with R25, update both Robot Studio and Robot Runtime to 25.1.13.
Download Instructions
To download the latest PBE build:
- Go to My Software and download 25.1.13
- If using version 22.1, only the PBE update is required, you do not need to upgrade to R25
- See Downloading Pega Robotic Automation software for more details
Issue Details Summary
|
Issue details |
High vulnerability: Pega Robotic Automation version 22.1 or R25 |
Medium vulnerability: Pega Browser Extension |
|---|---|---|
|
Software product |
Pega Robot Runtime and Pega Browser Extension (PBE) |
Pega Browser Extension (PBE) |
|
Affected versions |
Pega Robotic Automation versions 22.1 and R25 |
All versions of Pega Robotic Automation |
|
CVE |
CVE-2026-1078 |
CVE-2026-1079 |
|
CVSS rating |
High – 7.2 |
Medium – 6.0 |
|
Description |
Pega RPA – Pega Browser Extension (PBE) security vulnerability (Robot Runtime) |
Pega Browser Extension (PBE) security vulnerability (Base PBE) |
Information about these issues, and their remediation, was publicly posted on Pega Support Center on April 6, 2026. Prior to this date we requested clients not discuss this in public forums to help ensure that all customers had adequate time to apply the necessary remediations.
Additional Product Enhancements
Robotic Automation 25.1.12 introduced exciting features, including Robotics Autopilot. Users updating to 25.1.13 will also receive these enhancements.
For details, see New and updated features.
If you have any questions or concerns, please raise a ticket with the Support team.